BLACK HILLS CORP /SD/ - (BKH)
10-K Filing Date: February 14, 2024
The utility industry has been the target of several cyberattacks on operational systems and has seen an increased volume and sophistication of cybersecurity incidents from international activist organizations, other nation state actors and individuals. We expect to continue to experience attempts to compromise our information technology and control systems, network infrastructure and other assets. To date, we have not experienced a cybersecurity incident that has had a material impact on our business or results of operations.
Risk Management and Strategy
Our enterprise risk management program, which includes cybersecurity risks that are identified through our cybersecurity risk management program, is designed to identify, report, and manage relevant material risks and opportunities.
Management of the identified risks is embedded into business processes and key decision making at every level of the Company. Our enterprise risk management team works closely with our Chief Security Officer ("CSO") and IT risk management team to evaluate and address material cybersecurity risks in alignment with our business strategy and operational needs.
We have a cybersecurity risk management program that is managed by a team of full-time cybersecurity professionals that utilizes a variety of tools and techniques to identify and assess material cybersecurity threats, their potential impact and opportunities for mitigation. The industry-standard security frameworks that we apply to our cyber environment include various security and risk assessments, such as internal threat assessments and internal control self-assessments. Because we are aware of the risks associated with third-party providers, we conduct third-party provider security assessments and benchmarking before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. These assessments include evaluation of risk profiles through vendor questionnaires, review of System and Organization Controls attestation reports and monitoring on an ongoing basis by our IT risk management team. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
We regularly engage with third-party assessors and auditors as part of our ongoing cybersecurity risk assessment process to leverage specialized knowledge and insights and to identify areas for continued focus, improvement, compliance and effectiveness of mitigation. We also utilize government and industry-related security intelligence sources, and actively participate in industry peer groups and public-private partnerships to assist in the identification of potential threats. We conduct ongoing cybersecurity training and monthly email phishing drills for all employees.
We also have a cybersecurity incident response plan and procedures to manage cybersecurity incidents. These procedures include steps to identify, classify, communicate, contain, eradicate, and recover from a cybersecurity incident. These procedures also include notification to a cross-functional management team to assess incident materiality and an escalation process to members of our senior management team and our Board of Directors.
Governance
Our Board of Directors is responsible for the oversight of risks from cybersecurity threats. Our Chief Information Officer provides our Board of Directors quarterly reports that summarize material cybersecurity threats and the countermeasures taken to mitigate the associated risks. These reports address a variety of topics including updates on strategic cyber initiatives, industry trends, threat vulnerability assessments, and efforts to prevent, detect and respond to internal and external critical threats. From time to time, our Board of Directors also engages third-party consultants to provide further education about cybersecurity risks.
Our cybersecurity risk management program, which is discussed above, is led by our CSO, who has 28 years of prior work experience in various roles involving managing information security of large-scale global security operations, including developing cybersecurity strategy and implementing effective information and cybersecurity programs. Our CSO maintains industry certifications, including an ISC2 Certified Information Systems Security Professional certification.
Through oversight of the cybersecurity risk management program, our CSO is continually informed about the status of the program, including the effectiveness of the process and controls to monitor, prevent, detect, mitigate, and remediate cybersecurity incidents. The CSO is also made aware of the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CSO, in his capacity, regularly informs the Chief Information Officer and other members of our senior management team of all aspects related to cybersecurity risks and incidents.